A lot of companies are asking this question.
According to the Ponemon Institute's 2017 Cost of Data Breach Study, the average total cost of a data breach is now $3.62 million, with the cost of each lost or stolen record averaging about $141.
Despite the high cost, however, today’s chief information security officers (CISOs) face a dilemma. They need budget for cybersecurity upgrades, but their boards of directors or CEOs want to invest the money elsewhere—namely on initiatives that will grow revenue.
The increasing frequency of security incidents doesn’t help matters either. It can actually end up desensitizing companies to the potential impact of data breaches, resulting in little or no money being allotted for security technology.
How much cybersecurity investment is enough?
To quote the old adage, it's better to be safe than sorry. Despite the reluctance of some corporate executives, investing in beefed-up security measures is definitely a smart choice. That raises the question: what's the right amount to spend on advanced security technology?
Drs. Lawrence Gordon and Martin Loeb, researchers at the University of Maryland's Robert H. Smith School of Business, have developed an economics-based model to use as a guideline.
According to the Gordon-Loeb model, a company should spend no more than about 37% (1/e) of its expected loss from a breach on protecting against it, where expected loss means the probability of a breach multiplied by the loss it would cause, not the headline loss figure. Beyond that point, each additional dollar spent costs more than the reduction in expected loss it buys, and in practice the optimal amount usually lands well below the ceiling.
Of course, the dollar amount will depend a lot on the size of the company and how much its security infrastructure needs to be upgraded or expanded.
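To make the 37% rule concrete, here is a worked Gordon-Loeb calculation. It is an added example, not code from the article or from Gordon and Loeb, and it assumes the two breach-probability function families analysed in their 2002 paper, S(z, v) = v / (αz + 1)^β and S(z, v) = v^(αz + 1), for which the (1/e) bound is proved (it does not hold for every conceivable function). The parameter values (v = 0.5, α = 1e-5, β = 1, and L = $3.62 million borrowed from the Ponemon figure above) and all function names are illustrative assumptions.

```python
"""Worked Gordon-Loeb calculation (added example; not from the original article).

A firm faces a potential loss L with breach probability v before investing
anything in security.  Spending z lowers the breach probability to S(z, v).
The expected net benefit of the investment is

    ENBIS(z) = [v - S(z, v)] * L - z

and the "37%" rule is the result that, for the two S(z, v) families below,
the z maximising ENBIS never exceeds (1/e) * v * L: about 37% of the
*expected* loss v*L, not of L itself.

All numeric inputs (alpha, beta, v, and the $3.62M loss) are assumptions
chosen for illustration.
"""
import math
from typing import Callable

E_BOUND = 1 / math.e  # ~0.368, the "37%" quoted in the article


def class1_breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Gordon-Loeb class I function: S(z, v) = v / (alpha*z + 1)^beta."""
    return v / (alpha * z + 1) ** beta


def class2_breach_probability(z: float, v: float, alpha: float) -> float:
    """Gordon-Loeb class II function: S(z, v) = v^(alpha*z + 1)."""
    return v ** (alpha * z + 1)


def enbis(z: float, v: float, loss: float, s: Callable[[float], float]) -> float:
    """Expected net benefit of investing z: reduction in expected loss minus z."""
    return (v - s(z)) * loss - z


def gordon_loeb_ceiling(v: float, loss: float) -> float:
    """Upper bound on worthwhile spending: (1/e) times the expected loss v*L."""
    return E_BOUND * v * loss


def optimal_investment_class1(v: float, loss: float, alpha: float, beta: float) -> float:
    """Closed-form maximiser of ENBIS for the class I function.

    First-order condition: v*L*alpha*beta*(alpha*z + 1)^-(beta+1) = 1.
    If the marginal benefit at z = 0 is already below one dollar, invest nothing.
    """
    root = (v * loss * alpha * beta) ** (1.0 / (beta + 1))
    return max(0.0, (root - 1.0) / alpha)


def optimal_investment_class2(v: float, loss: float, alpha: float) -> float:
    """Closed-form maximiser of ENBIS for the class II function.

    First-order condition: -L*alpha*ln(v)*v^(alpha*z + 1) = 1.
    """
    target = -1.0 / (alpha * loss * math.log(v))  # required value of v^(alpha*z+1)
    if target >= v:  # marginal benefit at z = 0 does not cover the first dollar
        return 0.0
    return (math.log(target) / math.log(v) - 1.0) / alpha


def numeric_optimum(v: float, loss: float, s: Callable[[float], float]) -> float:
    """Independent check: ternary search of the concave ENBIS on [0, v*L]."""
    lo, hi = 0.0, v * loss
    while hi - lo > 1.0:  # stop at one-dollar resolution
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if enbis(m1, v, loss, s) < enbis(m2, v, loss, s):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2


def worked_example(v: float = 0.5, loss: float = 3_620_000.0,
                   alpha: float = 1e-5, beta: float = 1.0) -> dict:
    """Run both model classes on the assumed inputs and compare to the ceiling."""
    def s1(z: float) -> float:
        return class1_breach_probability(z, v, alpha, beta)

    def s2(z: float) -> float:
        return class2_breach_probability(z, v, alpha)

    z1 = optimal_investment_class1(v, loss, alpha, beta)
    z2 = optimal_investment_class2(v, loss, alpha)
    ceiling = gordon_loeb_ceiling(v, loss)
    return {
        "expected_loss": v * loss,
        "ceiling": ceiling,
        "class1_optimum": z1,
        "class1_numeric": numeric_optimum(v, loss, s1),
        "class1_share_of_expected_loss": z1 / (v * loss),
        "class2_optimum": z2,
        "class2_numeric": numeric_optimum(v, loss, s2),
        "class2_share_of_expected_loss": z2 / (v * loss),
        "both_within_ceiling": z1 <= ceiling and z2 <= ceiling,
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key:>32}: {val:,.3f}" if isinstance(val, float) else f"{key:>32}: {val}")
```

With these inputs the expected loss is $1.81 million, the Gordon-Loeb ceiling is about $666,000, and the two optima come out near 18% and 20% of expected loss, comfortably under the 37% ceiling; the ternary search agrees with the closed-form answers to within a dollar or so. Changing v (how likely a breach is today) moves the answer far more than changing the headline loss figure does, which is the practical lesson of the model.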
Is cyber insurance a good option?
While cyber insurance is still a relatively new phenomenon, approximately 50 major providers now offer this type of coverage. In fact, it's become the fastest-growing area of the insurance business.
There are four types of cyber insurance coverage:
1) Data breach and privacy management: covers the costs of managing and recovering from a data breach, including legal fees and credit protection for the affected individuals
2) Multimedia liability: covers claims arising from website defacement, published media content and intellectual property infringement
3) Extortion liability: covers ransom demands and response costs from ransomware and other cyber-extortion attacks
4) Network security liability: covers incidents such as theft by third parties or DDoS attacks
A cyber insurance policy transfers some of the financial risk and provides peace of mind, but it does nothing to prevent a breach or to protect customers' data and the company's reputation. It is no substitute for implementing sound security controls and best practices.
In short, an ounce of prevention, meaning investment in the right technology and practices, is worth a pound of cure. And as your customers' trusted IT advisor, you can provide valuable guidance on the measures they should take to mitigate the risks.